Enable and configure SASL authentication

Aiven for Apache Kafka® provides multiple authentication methods to secure Kafka data, including Simple Authentication and Security Layer (SASL) over SSL.

Enable SASL authentication

Aiven Console

1. Access the Aiven Console and select your Aiven for Apache Kafka service.
2. Click Service settings.
3. Scroll to Advanced configuration and click Configure.
4. Click Add configuration options.
5. Select kafka_authentication_methods.sasl from the list and set the value to Enabled.
6. Click Save configurations.

The Connection information in the Overview page now allows connections via SASL or Client certificate.

note

Although these connections use a different port, the host, CA, and user credentials remain consistent.

CLI

Enable SASL authentication for your Aiven for Apache Kafka service using Aiven CLI:

1. Get the name of the Aiven for Apache Kafka service:

   avn service list

   Note the SERVICE_NAME corresponding to your Aiven for Apache Kafka service.

2. Enable SASL authentication:

   avn service update SERVICE_NAME -c kafka_authentication_methods.sasl=true

   Parameters:

   • SERVICE_NAME: Name of your Aiven for Apache Kafka service.
   • kafka_authentication_methods.sasl: Set to true to enable SASL authentication.

API

Use the ServiceUpdate API to enable SASL authentication on an existing service:

 curl -X PUT "https://console.aiven.io/v1/project/{project_name}/service/{service_name}" \
   -H "Authorization: Bearer <API_TOKEN>" \
   -H "Content-Type: application/json" \
   -d '{
         "user_config": {
           "kafka_authentication_methods": {
             "sasl": true
           }
        }
     }'

Parameters:

• project_name: Name of your Aiven project.
• service_name: Name of your Aiven for Apache Kafka service.
• API_TOKEN: Personal Aiven token.
• kafka_authentication_methods.sasl: Set to true to enable SASL authentication.

Configure SASL mechanisms

After enabling SASL authentication, fine-tune the active SASL mechanisms for your Aiven for Apache Kafka service. By default, all mechanisms (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512) are enabled. Configure these settings only to disable any mechanisms.

Aiven Console

1. Access the Aiven Console and select your Aiven for Apache Kafka® service.

2. Click Service settings.

3. Scroll to Advanced configuration and click Configure.

4. In the Advanced configuration window, set the corresponding kafka_sasl_mechanisms value to either Enabled or Disabled:

   • PLAIN: kafka_sasl_mechanisms.plain
   • SCRAM-SHA-256: kafka_sasl_mechanisms.scram_sha_256
   • SCRAM-SHA-512: kafka_sasl_mechanisms.scram_sha_512

5. Click Save configurations.

CLI

Configure SASL mechanisms for your Aiven for Apache Kafka service using Aiven CLI:

1. Get the name of the Aiven for Apache Kafka service:

   avn service list

Note the SERVICE_NAME corresponding to your Aiven for Apache Kafka service.

1. Configure specific mechanisms:

   avn service update SERVICE_NAME             \
    -c kafka_sasl_mechanisms.plain=true          \
    -c kafka_sasl_mechanisms.scram_sha_256=true  \
    -c kafka_sasl_mechanisms.scram_sha_512=true

   Parameters:

   • SERVICE_NAME: Name of your Aiven for Apache Kafka service.
   • kafka_sasl_mechanisms.plain: Set to true to enable the PLAIN mechanism.
   • kafka_sasl_mechanisms.scram_sha_256: Set to true to enable the SCRAM-SHA-256 mechanism.
   • kafka_sasl_mechanisms.scram_sha_512: Set to true to enable the SCRAM-SHA-512 mechanism.

API

Use the ServiceUpdate API to enable SASL authentication on an existing service:

curl -X PUT "https://console.aiven.io/v1/project/{project_name}/service/{service_name}" \
     -H "Authorization: Bearer <API_TOKEN>" \
     -H "Content-Type: application/json" \
     -d '{
           "user_config": {
             "kafka_authentication_methods": {
               "sasl": true
             }
           }
         }'

Parameters:

• project_name: Name of your Aiven project.
• service_name: Name of your Aiven for Apache Kafka service.
• API_TOKEN: API token for authentication.
• kafka_sasl_mechanisms.plain: Set to true or false to enable or disable the PLAIN mechanism.
• kafka_sasl_mechanisms.scram_sha_256: Set to true or false to enable or disable the SCRAM-SHA-256 mechanism.
• kafka_sasl_mechanisms.scram_sha_512: Set to true or false to enable or disable the SCRAM-SHA-512 mechanism.

note

• At least one SASL mechanism must remain enabled. Disabling all results in an error.
• OAUTHBEARER is enabled if sasl_oauthbearer_jwks_endpoint_url is specified.

Enable public CA for SASL authentication

After enabling SASL authentication, enable the public CA if Kafka clients cannot install or trust the default project CA.

Aiven Console

1. Access the Aiven Console and select your Aiven for Apache Kafka service.

2. Click Service settings.

3. Go to the Cloud and network section, click Actions > More network configurations.

4. In the Network configuration dialog:

   1. Click Add configuration options.
   2. Find letsencrypt_sasl (or letsencrypt_sasl_privatelink for PrivateLink).
   3. Select the configuration option.
   4. Set the value to Enabled.
   5. Click Save configurations.

The Connection information on the Overview page now supports SASL connections using either Project CA or Public CA.

CLI

Enable the public CA for SASL authentication using the Aiven CLI:

1. List the services in your project to find the Kafka service name:

   avn service list

   Note the SERVICE_NAME for the Kafka service.

2. Enable public CA for SASL authentication:

   avn service update SERVICE_NAME -c CONFIG_NAME=true

   Parameters:

   • SERVICE_NAME: Name of your Aiven for Apache Kafka service.
   • CONFIG_NAME: Name of the configuration parameter to set. Use letsencrypt_sasl for enabling public CA for SASL authentication via regular routes or letsencrypt_sasl_privatelink via PrivateLink connection.

API

Use the ServiceUpdate API to enable public CA for SASL authentication on an existing service:

curl -X PUT "https://console.aiven.io/v1/project/{project_name}/service/{service_name}" \
     -H "Authorization: Bearer <API_TOKEN>" \
     -H "Content-Type: application/json" \
     -d '{"user_config": {"letsencrypt_sasl": true}}'   # or letsencrypt_sasl_privatelink for PrivateLink

Terraform

1. Create or update your Aiven for Apache Kafka service resource:

resource "aiven_kafka" "example_kafka" {
  plan                    = "business-4"
  project                 = data.aiven_project.example_project.project
  service_name            = "example-kafka"

  kafka_user_config {
    letsencrypt_sasl = true   # or letsencrypt_sasl_privatelink for PrivateLink
  }
}

1. To find the correct port to use for a specific route, use the read-only components list with appropriate filters in the aiven_service_component data source

   For example:

   data "aiven_service_component" "sc1" {
   project                     = aiven_kafka.kafka.project
   service_name                = aiven_kafka.example_kafka.service_name
   component                   = "kafka"
   route                       = "dynamic"
   kafka_authentication_method = "sasl"
   kafka_ssl_ca                = "letsencrypt"
   }

note

• The public certificate is issued and validated by Let's Encrypt, a widely trusted certification authority. For details, see How It Works

• When enabling the public CA over a PrivateLink connection, network configuration may take several minutes before clients can connect. A new port must be allocated and the load balancer route table updated before clients can connect.

Related pages

• Enable OAUTH2/OIDC authentication for Aiven for Apache Kafka
• Authentication types